What are the CCPA requirements for collecting email addresses in person at a brick and mortar store?

Key findings

• Applicability: Brick-and-mortar businesses are not exempt from CCPA compliance, meaning information collected offline, including email addresses, is subject to the same rules as online data collection.
• Personal information: Email addresses are unequivocally classified as personal information under CCPA.
• Notice at collection: Businesses must provide a clear Notice at Collection to consumers at or before the point of collecting their personal information, detailing the categories of data being collected and the purposes for which it will be used. This applies to in-person interactions as well.
• Consumer rights: Consumers retain rights to know what information is collected, to request deletion of their data, and to opt-out of the sale or sharing of their personal information, regardless of how it was collected.
• Opt-out methods: Covered businesses must offer at least two methods for consumers to submit requests, which can include offline methods like in-store forms, especially if the business primarily interacts with customers offline.

Key considerations

• Transparency is key: Always inform consumers clearly and concisely about data collection practices, even for a simple email receipt request. This builds trust and helps with compliance.
• Data quality: Email addresses collected manually at the point of sale may have higher rates of errors or invalid entries. Implementing a process for email validation on sign-up is advisable to maintain list hygiene.
• Consent management: Ensure that collecting an email for a receipt does not automatically imply consent for marketing communications. Explicit consent should be obtained for marketing purposes, aligning with best practices for email subscription permissions.
• Consult legal counsel: Due to the evolving nature and nuances of privacy laws like CCPA, it is crucial for businesses to consult with legal professionals experienced in data privacy to ensure full compliance.

Key opinions

• Receipt emails: The idea that collecting an email for a receipt is forbidden under CCPA is widely considered far-fetched by marketers, as it is a common and necessary business practice.
• Implementation challenges: Marketers acknowledge that fulfilling CCPA requirements like notice at collection can be trickier in a physical retail environment compared to an online interface.
• Data hygiene: Emails collected manually at points of sale are often prone to errors, making data quality and cleansing important for subsequent marketing use.
• No blanket prohibition: The core principle is not a ban on collection, but rather a requirement for transparency, consumer control, and proper handling of personal information.

Key considerations

• Clear communication: Marketers should ensure staff are trained to clearly communicate how email addresses will be used and what consumer rights apply, especially if it extends beyond a simple receipt.
• Opt-in processes: If collecting emails for marketing, establish a clear and verifiable opt-in process in-store, separate from transactional data collection. This aligns with standard email marketing opt-in best practices.
• Privacy policy accessibility: Ensure your privacy policy is easily accessible, perhaps via a QR code or a clear sign, directing consumers to where they can review their rights and your data practices.

Key opinions

• Universal application: CCPA does not distinguish between online and offline data collection, meaning email addresses collected in a brick-and-mortar store are as much personally identifiable information (PII) as those collected via a website form.
• Operational challenges: The primary difficulty for physical stores is not prohibition but the logistical challenge of providing the required disclosures and methods for consumer rights requests in an in-person setting.
• Data lifecycle management: Experts recommend establishing clear processes for how email data, once collected in-store, is managed through its lifecycle, including consent, usage, storage, and deletion.
• Avoiding blocklists: Poor data collection practices, even in person, can lead to spam complaints and ultimately land your sending IP or domain on an email blocklist (or blacklist), impacting deliverability across all channels.

Key considerations

• Review existing processes: Businesses should assess their current in-store email collection methods to ensure they align with CCPA's principles of transparency and consumer rights.
• Staff training: Train retail staff on CCPA basics, particularly how to properly inform customers about data collection and how to handle consumer rights requests in person.
• Cross-channel consistency: Ensure that privacy practices for email addresses collected in person are consistent with those for online collection, providing a unified approach to consumer data rights.

Key findings

• Broad definition of 'collect': CCPA's definition of 'collects' personal information includes gathering, obtaining, receiving, or accessing it by any means, encompassing in-person collection.
• Offline notice requirement: Businesses that primarily interact with consumers offline must provide notice of their data collection practices via an offline method that facilitates consumer awareness of their rights.
• Offline request methods: For businesses operating websites but primarily interacting in person, the regulations require offering in-store consumers a form for submitting CCPA rights requests.
• Personal information categories: Email addresses fall under the specified categories of personal information regulated by CCPA.

Key considerations

• Review regulations regularly: The specific guidance for CCPA and its amendments, like CPRA, can evolve. Businesses should regularly review official documentation from the California Attorney General's office.
• Documentation of practices: Maintain comprehensive records of data collection practices, including those for in-person email capture, to demonstrate compliance if audited.
• Accessibility of rights: Ensure consumers can easily exercise their rights (e.g., deletion, access) for emails collected in person, which may require integrating offline data with online management systems.